
Re: question squid + firewall + http server inside firewall



My idea: connections coming from the inside network to the firewall and going to
the web server are not considered by the rules

> >>$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> >>         -s 0/0 --dport http \
> >>         -j DNAT --to-destination 192.168.1.2:80
> >>$PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> >>         -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
> >>         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I would try adding
$PROG -t nat -A PREROUTING -i $NIC_INTERNAL -p tcp \
         -s $INTERNAL_NETWORK --dport http -d $EXTERNAL_HTTP_ADDR \
         -j DNAT --to-destination 192.168.1.2:80
$PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s $INTERNAL_NETWORK \
         -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Hope this can help

	Marco
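The rule set below is an added example, not part of Marco's mail or the original poster's configuration. It puts the hairpin ("inside client talks to the public address, gets the inside web server") setup into a self-contained script using the same $PROG, $NIC_EXTERNAL, $NIC_INTERNAL, $INTERNAL_NETWORK and $EXTERNAL_HTTP_ADDR names as the thread, plus two assumed variables of its own: $WEB_SERVER (192.168.1.2 as in the thread) and $FIREWALL_INTERNAL_ADDR for the firewall's LAN address. Beyond what the mail shows, it adds the POSTROUTING SNAT that hairpin NAT needs: without it the web server answers the LAN client directly, the client sees the reply come from 192.168.1.2 instead of the public address it connected to, and the TCP handshake never completes. The ACCEPT rule goes in the filter table, where accept rules conventionally live, rather than the mangle table used in the thread. The default values are constructed for the example; with DRY_RUN=1 (the default) the script only prints the rules.

```shell
#!/bin/sh
# Added example: hairpin NAT for an inside web server reached via the public address.
# Variable names follow the mailing-list thread; default values are constructed for
# illustration. DRY_RUN=1 prints the rules, DRY_RUN=0 applies them with $PROG.

PROG=${PROG:-iptables}
NIC_EXTERNAL=${NIC_EXTERNAL:-eth0}
NIC_INTERNAL=${NIC_INTERNAL:-eth1}
INTERNAL_NETWORK=${INTERNAL_NETWORK:-192.168.1.0/24}
EXTERNAL_HTTP_ADDR=${EXTERNAL_HTTP_ADDR:-203.0.113.10}      # constructed public address (TEST-NET-3)
FIREWALL_INTERNAL_ADDR=${FIREWALL_INTERNAL_ADDR:-192.168.1.1}   # assumed: firewall's LAN address
WEB_SERVER=${WEB_SERVER:-192.168.1.2}                           # web server from the thread
DRY_RUN=${DRY_RUN:-1}

# run: echo the rule in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

hairpin_rules() {
    # 1. LAN clients addressing the public IP on port http are redirected to the web server.
    run $PROG -t nat -A PREROUTING -i "$NIC_INTERNAL" -s "$INTERNAL_NETWORK" \
        -d "$EXTERNAL_HTTP_ADDR" -p tcp --dport http \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 2. Rewrite the source to the firewall so the web server's replies return through
    #    the firewall (where the DNAT is undone) instead of going straight to the client.
    run $PROG -t nat -A POSTROUTING -s "$INTERNAL_NETWORK" -d "$WEB_SERVER" \
        -p tcp --dport http -j SNAT --to-source "$FIREWALL_INTERNAL_ADDR"
    # 3. Allow the hairpinned flow: it enters and leaves on the internal interface.
    run $PROG -A FORWARD -i "$NIC_INTERNAL" -o "$NIC_INTERNAL" \
        -s "$INTERNAL_NETWORK" -d "$WEB_SERVER" -p tcp --dport http \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# check_rules: generate the rules in dry-run mode and verify the three pieces
# (DNAT to the web server, SNAT to the firewall, exactly three rules) are present.
check_rules() {
    rules=$(DRY_RUN=1; hairpin_rules)
    echo "$rules" | grep -q -- "-j DNAT --to-destination $WEB_SERVER:80" || return 1
    echo "$rules" | grep -q -- "-j SNAT --to-source $FIREWALL_INTERNAL_ADDR" || return 1
    echo "$rules" | grep -q -- "-A FORWARD -i $NIC_INTERNAL -o $NIC_INTERNAL" || return 1
    [ "$(echo "$rules" | wc -l)" -eq 3 ] || return 1
    return 0
}

hairpin_rules
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 to apply them. The SNAT in step 2 is scoped to the LAN-to-web-server flow only, so external visitors (handled by the original PREROUTING rule on $NIC_EXTERNAL) keep their real source address in the web server's logs.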


